没什么写的了,感觉以前的特征码搜索内核未导出函数效率不高,所以用KMP算法写了个,权当给大家省点敲代码的时间吧。
#define MAXKEYCODE 13//这是特征码的大小
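/*
 * Index_KMP - Knuth-Morris-Pratt search for pattern T in the byte range [S, S + pos).
 *
 * S    : start of the range to scan. Raw bytes, not a C string: no terminator is
 *        looked for, exactly pos bytes are examined.
 * T    : pattern in 1-based storage: T[0] is a placeholder, T[1..Len] are the
 *        pattern bytes, where Len = next[0].
 * pos  : number of bytes of S to examine.
 * next : KMP failure table as produced by Get_next(); next[0] holds Len and
 *        next[1] is 0, which is what makes the j == 0 restart case below work.
 *
 * Returns the address of the first match (as a ULONG), or 0 when there is no
 * match or the arguments are unusable.
 *
 * The caller must guarantee that every byte in [S, S + pos) is readable. In
 * kernel mode a read of an unmapped or paged-out page here bugchecks, so either
 * keep the window inside the image's resident code section or probe pages with
 * MmIsAddressValid before scanning them.
 */
ULONG Index_KMP(unsigned char* S,unsigned char* T,int pos,int next[])
{
    int i = 0;   /* position in S, 0-based */
    int j = 1;   /* position in T, 1-based; 0 is the "restart at next byte" sentinel */
    int Len;

    /* An empty pattern would otherwise be reported as matching at S, and a
     * non-positive window has nothing to scan. */
    if (S == NULL || T == NULL || next == NULL || next[0] < 1 || pos <= 0) {
        return 0;
    }
    Len = next[0];

    /* %p for pointers and a trailing newline so the debugger prints the line. */
    DbgPrint("Search: %p\n", S);
    while (i < pos && j <= Len) {
        if (j == 0 || S[i] == T[j]) {
            /* When j == 0 the pattern restarts at S[i+1]; ++j then yields j == 1. */
            ++i;
            ++j;
        } else {
            j = next[j];   /* shift the pattern; i is never rewound */
        }
    }
    if (j > Len) {
        /* Loop exited with the whole pattern consumed: match starts Len bytes back. */
        DbgPrint("Find !%p\n", S + i - Len);
        return (ULONG)(S + i - Len);
    }
    DbgPrint("Search End: %p\n", &S[i]);
    return 0;
}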
/*
 * Get_next - build the (unoptimised) KMP failure table for a 1-based pattern.
 *
 * Sub  : pattern bytes stored at Sub[1..Len]; Sub[0] is a placeholder.
 * next : on entry next[0] holds the pattern length Len. On return next[1..Len]
 *        hold, for each pattern position, the position to fall back to after a
 *        mismatch; next[1] is always 0. next needs at least Len + 1 entries.
 */
void Get_next(unsigned char Sub[],int next[])
{
    const int len = next[0];
    int cur = 1;    /* pattern position whose successor's fallback is being computed */
    int cand = 0;   /* candidate fallback position (length of the matched border) */

    next[1] = 0;
    for (;;) {
        if (cur >= len) {
            break;
        }
        if (cand != 0 && Sub[cur] != Sub[cand]) {
            /* Border does not extend: fall back to the shorter border. */
            cand = next[cand];
            continue;
        }
        /* Either the border extends by one byte or we restart from the sentinel. */
        cur++;
        cand++;
        next[cur] = cand;
    }
}
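/*
 * FindIoWriteCrashDump - locate the unexported IoWriteCrashDump by its prologue bytes.
 *
 * Resolves the ntoskrnl image base (stored in the global NtoskrnlBase as a side
 * effect), builds the KMP failure table for KeyCode and scans SCAN_LENGTH bytes
 * starting SCAN_OFFSET bytes past the image base.
 *
 * Returns the address of the first byte matching the signature, or 0 when the
 * image base could not be resolved or the signature was not found.
 *
 * The signature is a generic x86 prologue (mov edi,edi / push ebp / mov ebp,esp /
 * sub esp,94h / push ebx / push esi); the more specific bytes that followed were
 * dropped because they contain build-dependent relative addresses. The first
 * hit is returned, so another routine with the same frame size can be matched
 * instead; validate the result before relying on it. The scan window itself
 * must lie entirely within mapped, resident memory (see Index_KMP).
 */
ULONG FindIoWriteCrashDump(void)
{
    /* Scan window relative to the ntoskrnl image base; build-specific. */
    enum { SCAN_OFFSET = 0x50000, SCAN_LENGTH = 0x100000 };
    int next[MAXKEYCODE + 1] = { MAXKEYCODE };   /* next[0] = pattern length */
    unsigned char KeyCode[MAXKEYCODE + 1] =
    {
        0x1,                                  /* placeholder: pattern storage is 1-based */
        0x8B, 0xFF,                           /* mov edi, edi */
        0x55,                                 /* push ebp */
        0x8B, 0xEC,                           /* mov ebp, esp */
        0x81, 0xEC, 0x94, 0x00, 0x00, 0x00,   /* sub esp, 94h */
        0x53,                                 /* push ebx */
        0x56,                                 /* push esi */
        /* The original continued with a relative call (build-dependent) and
         * two further instructions; they are intentionally left out. */
    };

    NtoskrnlBase = (ULONG)GetModlueBaseAdress("ntoskrnl.exe", 0);
    if (0 == NtoskrnlBase) {
        DbgPrint("ERROR: NtoskrnlBase == 0\n");
        return 0;
    }

    Get_next(KeyCode, next);
    /* Cast first so the offset is applied in bytes, not in ULONG units. */
    return Index_KMP((unsigned char *)NtoskrnlBase + SCAN_OFFSET, KeyCode, SCAN_LENGTH, next);
}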